#!/usr/bin/perl -w

use strict;
use warnings;

use Data::Dumper;
use DateTime;
use DateTime::Format::DateParse;
use Net::DNS;
use LWP::Simple;
use Encode qw/encode_utf8/;

use CIF::Message::Malware;
use CIF::Message::DomainSimple;
use Getopt::Std;

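# Command-line switches:
#   -F        full load: process every feed entry, no cut-off date, no resolver
#   -e REGEX  only process domains matching this pattern
#   -d        emit debug warnings for each processed entry
my %opts;
getopts('Fe:d',\%opts);
my $debug = $opts{'d'};
my $example_domain = $opts{'e'};
my $full_load = $opts{'F'};

# Incremental runs hand a resolver to DomainSimple->insert and use a cut-off
# timestamp; full loads get neither.
# NOTE(review): Net::DNS::Resolver documents this switch as `recurse`;
# confirm that `recursive` is actually honoured.
my $nsres = ($full_load) ? undef : Net::DNS::Resolver->new(nameservers => ['8.8.8.8','8.8.4.4'], recursive => 0);
# NOTE(review): 84600 seconds is 23.5 hours; 86400 (24 hours) may have been
# intended -- confirm before relying on a daily schedule.
my $goback = ($full_load) ? undef : DateTime->from_epoch(epoch => (time() - 84600));
$goback = $goback->ymd().'T'.$goback->hms().'Z' if($goback);

my $partner = 'malwaredomains.com';
# NOTE(review): the feed is fetched over plain HTTP with no integrity check,
# so its contents cannot be authenticated before they are written to the
# intelligence store. Prefer an authenticated transport or a signed/checksummed
# copy if the provider offers one.
my $url = 'http://www.malwaredomains.com/files/domains.txt';
# NOTE(review): $timeout is not referenced anywhere in the visible script;
# LWP::Simple's get() is not given it.
my $timeout = 5;

# get() returns undef on any failure. Stop here rather than silently
# processing an empty feed and exiting successfully.
my $content = get($url);
die "failed to download $url\n" unless(defined($content));
$content = encode_utf8($content);
my @lines = split(/\n/,$content);
my $hash;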

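# Turn the tab-separated feed into a hashref keyed by domain, each value
# holding the entry's type, reference and a normalised timestamp, so the
# entries can be sorted by date afterwards.
# NOTE(review): the domain, type and reference come straight from the feed and
# are not syntactically validated here; tabs are rewritten to commas, so a
# field that itself contains a comma will be split in the wrong place.
foreach my $line (@lines){
    $line =~ s/\r//;
    $line =~ s/^[\t]+//;
    $line =~ s/[\t]+/,/g;
    next if($line =~ /^#/);
    my ($d,$t,$r,$dt) = split(/,/, $line);

    # Blank or whitespace-only lines yield no domain; skip them instead of
    # storing a record under an empty key.
    next unless(defined($d) && $d =~ /\S/);

    # parse_datetime may die or return nothing on a missing/odd date.
    $dt = eval { DateTime::Format::DateParse->parse_datetime($dt) };
    # Fallback: stamp the entry with the current time. Such entries therefore
    # always pass the incremental cut-off applied later in the script.
    $dt = DateTime->from_epoch(epoch => time()) unless($dt);
    $dt = $dt->ymd().'T'.$dt->hms().'Z';

    # A later line for the same domain replaces the earlier one.
    $hash->{$d} = {
        'type'  => $t,
        'ref'   => $r,
        'dt'    => $dt,
    };
}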

# Newest first: the 'dt' values are built as YYYY-MM-DDTHH:MM:SSZ strings, so
# a plain string comparison orders them.
my @sorted = sort {
    $hash->{$b}{'dt'} cmp $hash->{$a}{'dt'}
} keys %{$hash};

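# Walk the feed entries newest-first and store each one: an optional malware
# record when the reference carries an MD5, then the domain record linked to it.
foreach my $domain (@sorted){
    my $entry       = $hash->{$domain};
    # Short feed lines leave type/ref undefined; normalise to '' so the
    # comparisons and the regex below do not operate on undef.
    my $type        = defined($entry->{'type'}) ? $entry->{'type'} : '';
    my $orig_ref    = defined($entry->{'ref'})  ? $entry->{'ref'}  : '';
    my $date        = $entry->{'dt'};

    # Incremental mode: ignore entries older than the cut-off. Both values are
    # same-format timestamp strings, so string comparison is sufficient.
    next if(!$full_load && $date lt $goback);

    # -e restricts the run to domains matching the operator-supplied pattern,
    # which is interpolated as a regular expression.
    next if($example_domain && $domain !~ /$example_domain/);

    warn $domain if($debug);
    warn $date if($debug);

    # The generic labels carry no classification; record them as 'unknown'.
    $type = 'unknown' if($type eq 'malware' || $type eq 'threat');

    my $uuid;
    # A reference ending in md5=<32 hex digits> identifies a sample; store it
    # as a malware record and keep its uuid to link the domain record to it.
    if($orig_ref =~ /md5\=([0-9a-fA-F]{32})$/){
        my $hash_md5 = $1;
        $uuid = CIF::Message::Malware->insert({
            description => 'malware '.$type.' - '.$hash_md5,
            source      => $partner,
            hash_md5    => $hash_md5,
            impact      => 'malware '.$type,
            restriction => 'need-to-know',
            severity    => 'medium',
            confidence  => 5,
            alternativeid  => $url,
            alternativeid_restriction => 'public',
            detecttime  => $date,
        });
        $uuid = $uuid->uuid();
    }

    my $impact = 'malicious domain '.$type;
    my $desc = $impact.' '.$domain;

    my $id = CIF::Message::DomainSimple->insert({
        nsres       => $nsres,
        relatedid   => $uuid,
        address     => $domain,
        source      => $partner,
        confidence  => 5,
        severity    => 'medium',
        impact      => $impact,
        description => $desc,
        detecttime  => $date,
        restriction => 'need-to-know',
        alternativeid  => $url,
        alternativeid_restriction => 'public',
    });
    # NOTE(review): presumably insert() returns either an object that
    # stringifies to a numeric id or an already-formed uuid string -- confirm
    # against CIF::Message::DomainSimple.
    $uuid = ($id =~ /^\d+$/) ? $id->uuid() : $id;
    print $partner.' -- '.$domain.' -- '.$date.' -- '.$uuid."\n";
}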
